Security researchers have released a new study claiming infamous crypto-ransomware TorrentLocker has now infected over 40,000 users around the world, encrypting nearly 300 million documents in the process.
TorrentLocker was originally given its moniker back in August when security intelligence firm iSight Partners named it after the registry key used to store configuration information – ‘Bit Torrent Application’.
It’s also named ‘Racketeer’ by the gang that controls it, or Win32/Filecoder.DI, to give it its technical title.
In a new white paper, Eset researcher Marc-Étienne Léveillé explained that the ransomware – which encrypts victims’ data on execution – has so far infected 39,670 systems.
Although only around 1.5% of victims have paid up, this has still made the gang behind it anywhere between US$292,700 and US$585,401 in bitcoins.
Over 285m documents have been encrypted so far thanks to TorrentLocker in just 10 months in the wild, the report claimed.
Despite the relative success of the campaign, those behind it continue to target the malicious spam which carries the malware at a select group of 13 countries in Europe, Canada and Australia.
That email uses social engineering and a localized message to persuade the recipient to open a document containing the hidden malicious executable or click on a malicious link.
Once TorrentLocker is executed, it will encrypt the victim’s documents, pictures and other data and pop-up a ransom screen containing a link to the payment page reachable via Tor.
“There are references to the infamous CryptoLocker on the page. Despite the use of the CryptoLocker logo, it is not related to the same malware family,” the report added. “This is possibly a trick to mislead victims searching for help or just because authors were too lazy to give them an original brand.”
Ken Westin, security analyst at Tripwire, argued that we can expect more widely distributed and increasingly sophisticated ransomware next year, given that it’s beginning to appear for sale on underground forums.
“Criminal syndicates have found a way to generate revenue from their exploits, paired with the anonymity of bitcoin making it difficult if not impossible for law enforcement to go after the culprits,” he added.
“We will see more sophisticated versions of ransomware in the future and not just individuals’ systems, but also entire networks, once a group finds a way to turn a profit, more groups will follow in short order.”
Proofpoint’s VP of advanced security and governance, Kevin Epstein, argued that the success of TorrentLocker proves that the weakest link in security “sits between the mouse and the chair.”
“It's increasingly difficult for even sophisticated users to detect phishing emails – so just don't click on URLs,” he said.
“Go directly to the name-brand websites in question, being sure you typed in the URL correctly and log in to your accounts directly to check orders – or call the phone number on the back of your credit card, not the one in the 'bank warning' email you received."